Researchers Hack the Mitsubishi Outlander SUV, Shut Off Alarm Remotely (helpnetsecurity.com)
Reader Orome1 writes: Mitsubishi Outlander, a popular hybrid SUV sold around the world, can be easily broken into by attackers exploiting security weaknesses in the setup that allows the car to be remotely controlled via an app. After discovering the SSID and the pre-shared key, they connected to a static IP address within a network's subnet, and this allowed them to sniff the Wi-Fi connection and send messages to the car. Through these messages they were able to turn the car's lights, air conditioning and heating on and off, change the charging programme and, most importantly, to disable the car's anti-theft alarm.
Whoever thought of this should get a Nobel Prize.
In their effort to make things ever easier for consumers, and to improve time-to-market, manufacturers skip the most basic security best practices.
This will kill the IoT market in general. Ever more gadgets with ever weaker security.
To Terminate, or not to Terminate, that's the question - SCSIROB
They've been at the top of the list of "Japanese car makers that won't be around much longer" for a few years now. So few of them are sold in the US currently that I was starting to think perhaps they quietly went under or were absorbed by Toyota. Their long running Lando Calrissian approach to car manufacturing can only last so long, really.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
I remember about 8 years ago, mentioning that the proposed smart cars the industry was crowing about would be a hacker's paradise, because of compounding costs of manufacture driving security based design out the window.
Seems I was right, despite all the loud objections I got that called me crazy. Fancy that. /shameless self promotion
Really, these recent reports of hackable cars all fail for the same reasons: The car's internal network is presumed secure, instead of presumed hostile. This ignores the primary rule of security-- if you can get local access, the security should be assumed broken.
Ideally, the data being sent through the internal network should be encrypted with unique keys between components, initially seeded at the factory with unique one time pads. The wifi network should be isolated completely from the internal network as well, and any instruction given should have a handshake challenge before being accepted.
All of those things will increase the costs of the vehicle considerably though, which is why none of the manufacturers are doing it.
It will require federal legislation to impose regulations for vehicle safety before that happens.
Every time I read about these, it strikes me that it all goes down to poor system design. The computers and functions dealing with the operation of the car need to be isolated from the entertainment systems, including WiFi, at least so far as inputs are concerned. Apps that allow the user to unlock the doors or start the engine, WiFi and OnStar systems that allow on-the-air updates of control software, these are all inherently insecure and always will be! They tie into systems that need to be air-gapped and only accessible via physical access to the car.
Security is almost always a trade off with utility or convenience. But auto makers have gone way too far, to the point of threatening public safety. These car computer systems need to be redesigned from the ground up with proper security practices and risk assessments in place.
No one wants to steal a Mitsubishi anyway.
if done RIGHT, internet connectivity of the network of devices inside the car has all kinds of benefits.
1) devices that control fuel efficiency can have their firmwares updated by the manufacturer OTA, improving the product without ever taking it to a dealership for service.
2) Anomalies in function can be solved through the same mechanism as 1 above.
3) The obvious: Map data, fine location sensing from known wifi hotspots nearby, cloud data services, and other directly user-facing capabilities.
The issue: These vehicles do NOT do it right. They act like a local wired LAN, with each connected system treating the others as trusted peers, with no challenge/handshake or encryption. There is no digital signature checking on firmware or map data downloads, so man in the middle or local hacks are easy. These are terrible things, done out of cheapness and laxity of consideration for secure designs.
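Added example, not part of the thread or of any manufacturer's code: a minimal sketch of the "challenge/handshake" the comments above ask for, where the car issues a fresh one-time nonce and accepts a command only if it carries an HMAC over nonce and command under a per-device key. The class name, command string and key provisioning are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def sign_command(key: bytes, nonce: bytes, command: bytes) -> bytes:
    """App side: bind the command to the car's current challenge."""
    return hmac.new(key, nonce + command, hashlib.sha256).digest()


class VehicleController:
    """Car side (hypothetical): a command needs a valid answer to a fresh challenge."""

    def __init__(self, paired_key: bytes):
        self._key = paired_key   # per-device secret set at pairing, not the Wi-Fi PSK
        self._pending = None     # outstanding challenge, usable once

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)  # fixed length keeps nonce+command unambiguous
        return self._pending

    def execute(self, command: bytes, tag: bytes) -> bool:
        nonce, self._pending = self._pending, None  # consume the nonce even on failure
        if nonce is None:
            return False  # no challenge outstanding: unsolicited or replayed message
        expected = sign_command(self._key, nonce, command)
        return hmac.compare_digest(expected, tag)  # constant-time comparison


def demo():
    key = secrets.token_bytes(32)
    car = VehicleController(key)
    cmd = b"ALARM_OFF"  # constructed command name

    nonce = car.challenge()
    tag = sign_command(key, nonce, cmd)
    legitimate = car.execute(cmd, tag)

    # A sniffed (cmd, tag) pair sent again with no challenge outstanding.
    replay_without_challenge = car.execute(cmd, tag)

    # The same pair sent after the car has issued a new nonce.
    car.challenge()
    replay_after_new_challenge = car.execute(cmd, tag)

    # A peer on the network that knows the protocol but not the paired key.
    fresh = car.challenge()
    forged = car.execute(cmd, sign_command(b"\x00" * 32, fresh, cmd))

    return legitimate, replay_without_challenge, replay_after_new_challenge, forged


if __name__ == "__main__":
    print(demo())
```

Joining the Wi-Fi network and capturing traffic is not enough here: every accepted command depends on a secret that never crosses the link and a nonce that is never reused.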
Here's the original source, not a spammy blog, written in broken English:
https://www.pentestpartners.co...
Tesla doesn't have the same engineering model. Most car manufacturers have internal cultures that prize these simple lightweight solutions because they need to design for incredibly low margins. They hire tons of EEs to write software who've never been formally trained in network security. They implement custom unproven protocols for EVERYTHING. Basically everything we've done to make the internet work they ignore and think they know better.
Don't forget it is also a stepping stone technology for a communication backbone for automated driving. Most of the add-on features today are small bites of the autonomous puzzle.
The status quo will not change until CEOs are held criminally liable or terrorists (hackers) start crashing cars into each other.
Yep.
I just can't WAIT for my more connected car...then, my fucking SELF driving car...yeah, nothing can go wrong there....
[rolls eyes] I suppose all these years of me physically driving and being responsible for the car's behavior, good to throw that all out the window.
I as a human, can't really be hacked remotely like this (I keep my tin foil hat on at all times)....but sure, let's throw that model out, and trust the car companies that so far, have NEVER shown the proclivity to actually secure their systems they have to date....to control our transportation future.
Long Live the Johnny Car!!!
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
Have you read the DMCA? Security researching is explicitly exempt.
It was also not done in the USA, so I don't know what the DMCA has to do with it at all.
Yep. This is what happens when you make EEs design network stuff. Stuff like the CAN bus is incredibly open because it wasn't thought of as a network that needed 'security'. If our cars are going to have networks they need to hire people that take care of 'traditional network' security.
1) devices that control fuel efficiency can have their firmwares updated by the manufacturer OTA, improving the product without ever taking it to a dealership for service.
2) Anomalies in function can be solved through the same mechanism as 1 above.
________
Because what I want is someone I don't know fooling around with the car I bought and own any time they want without me knowing it.
That sounds completely logical.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
if done RIGHT, internet connectivity of the network of devices inside the car has all kinds of benefits.
1) devices that control fuel efficiency can have their firmwares updated by the manufacturer OTA, ... without ever taking it to a dealership for service.
Most people do take their car for a routine service anyway. Such updates cannot be that urgent.
2) Anomalies in function can be solved through [firmware updates]
No thanks. I have a Jeep Grand Cherokee and there were some rare cases of the transfer case (TC) putting itself into neutral while parked (the circumstances seemed dubious according to Jeep owners' forums). If the owner had not bothered to apply the handbrake also, the car could roll away. Jeep's "solution" to absolve themselves was a software patch to fix the TC in High (i.e. normal road) ratio. This disabled neutral but also the Low ratio, thus limiting its usefulness as an off-roader etc. (I have pulled tree stumps out with mine in "Low").
Result was a load of owners (including me) not wanting to let a dealer plug their car into their computer (which would promptly upload this patch). I generally have the same attitude to car software patches as I have to the Windows 10 "upgrade". And I apply the handbrake when I park.
The EU has recently mandated that new cars need wireless technology so they can automatically dial emergency services in an accident. So now even more cars will have vulnerable wireless links to the outside world that could potentially be exploited by hackers.
It has to do it that way, because it can't get up to 88 mph.
Sleep your way to a whiter smile...date a dentist!
What happens in 50 years when all cars drive themselves, are networked and someone wants to cripple our infrastructure?
That is simple enough. Require autonomous vehicles to be capable of navigating safely without network connectivity.
Since manually-driven vehicles and autonomous vehicles will coexist for a while, the first networked autonomous vehicles will definitely support an "offline mode" that does not require peer interaction. Simply require that it be kept as a backup in case the network is down.
On top of that, if vehicles can be set up or started in offline mode then it should be fairly simple to stop a worm, mitigate DoS, etc.
We won't magically lose standalone autonomous driving capabilities just because networked vehicles are more efficient.
---
According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
4) The vehicle can be remotely disabled/shut-down by the dealer if you don't make your monthly payment on time.
5) The vehicle can be remotely disabled/shut-down by the police if they merely suspect that you might have been remotely connected to a crime. "Shutdown first, and ask questions later".
6) The vehicle can be remotely disabled/shut-down by criminals on the other side of the planet, who demand payment in Bitcoins to re-enable the car.
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user